"An SP is the consumer of identity attributes provided by the IdP through a SAML assertion. SP integration involves passing the identity attributes from PingFederate to the target SP application. The SP application uses this information to set a valid session or other security context for the user represented by the identity attributes. Session creation can involve a number of approaches, and as for the IdP, Ping Identity offers commercial integration kits that address the various SP scenarios. Most SP scenarios involve custom-application integration, server-agent integration, integration with an IdM product, or integration with a commercial application.

Custom Applications: many applications use their own authentication mechanisms, typically through a database or LDAP repository, and are responsible for their own user-session management. Custom-application integration is necessary when there is limited or no access to the Web or application server hosting the application. Integration with these custom applications is handled through application-level integration kits, which allow software developers to integrate their applications with a PingFederate server acting as an SP.

With these integration kits, PingFederate sends the identity attributes from the SAML assertion to the SP application, which can then use them for its own authentication and session management. As for the IdP, application-specific integration kits include an SP agent, which resides with the SP application and provides a simple programming interface to extract the identity attributes sent from the PingFederate server. The information can be used to start a session for the SP application.

In addition, Ping Identity provides an Agentless Integration Kit, which allows developers to use direct HTTP calls to the PingFederate server to temporarily store and retrieve user attributes securely, eliminating the need for an agent interface."

(2) Vulnerability Details:

The SP endpoints of PingFederate 6.10.1 are vulnerable to unvalidated redirects and forwards (URL redirection, commonly called an open redirect). An attacker can craft a URL that points at the legitimate PingFederate host but, when clicked, redirects the victim away from the intended site to an arbitrary site of the attacker's choosing. Such attacks are effective because the crafted link initially appears to lead to a page on a trusted site; a victim who follows it can be taken to a page hosting attacks against client-side software such as the web browser or document-rendering programs. Since an SP endpoint is the point a user reaches right after signing in, any redirect target these endpoints accept should be restricted to relative paths or checked against an allow-list of hosts the SP owns.
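To make the bug class concrete, the following is an added example written for this page; it is not PingFederate code and not code from the advisory's author. It contrasts the naive "starts with a slash, so it is local" check that typically produces an open redirect with a stricter validator that keeps the browser on the SP. The parameter handling, the `ALLOWED_HOSTS` allow-list, the host names and the sample targets are assumptions constructed for illustration.

```python
"""Redirect-target validation for a post-login return parameter.

Added example, not PingFederate code. ALLOWED_HOSTS, the host names
and every sample target below are constructed for illustration.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed: hosts the SP is allowed to send the browser to after login.
ALLOWED_HOSTS = {"sp.example.com", "portal.example.com"}


def naive_is_local(target: str) -> bool:
    """The check behind many open redirects.

    '/dashboard' starts with '/', so it is treated as a local path. So does
    '//evil.example/phish', which browsers resolve as a protocol-relative URL
    to a different host.
    """
    return target.startswith("/")


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return a redirect target that stays on the SP, or `default`.

    Rejects absolute URLs to hosts outside ALLOWED_HOSTS, protocol-relative
    '//host' forms, backslash variants, userinfo tricks ('good@evil'),
    non-http(s) schemes and any control character or whitespace.
    """
    if not target:
        return default

    # Browsers treat '/\evil' like '//evil'; normalise before parsing.
    candidate = target.replace("\\", "/")

    # CR/LF, tabs and spaces are either header-injection vectors or
    # characters some browsers silently strip; refuse them outright.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in candidate):
        return default

    parts = urlsplit(candidate)

    # Only http(s) may be used as a redirect scheme (blocks javascript:, data:).
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default

    if parts.netloc:
        # Absolute or protocol-relative URL: host must match the allow-list
        # exactly, and userinfo is never legitimate in a redirect target.
        host = parts.hostname
        if host is None or host.lower() not in ALLOWED_HOSTS:
            return default
        if parts.username or parts.password:
            return default
        scheme = parts.scheme.lower() or "https"
        return urlunsplit((scheme, parts.netloc.lower(),
                           parts.path or "/", parts.query, ""))

    # Relative target: accept a single-slash path only ('//' would be a host).
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    crafted = "//evil.example/phish"
    print("naive check accepts crafted target:", naive_is_local(crafted))
    print("strict check rewrites it to:", safe_redirect_target(crafted))
    print("strict check keeps a local path:", safe_redirect_target("/dashboard"))
```

The point of the stricter version is that the decision is made on the parsed host rather than on the string prefix, and that anything the parser cannot classify as either an allow-listed host or a plain single-slash path falls back to a fixed landing page instead of being passed through.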

Similar 0-day vulnerabilities in comparable products have been found by other researchers before, and PingFederate has patched some of this kind in the past. Web Security Watch is an aggregator of security reports coming from various sources. It aims to provide a single point of tracking for all publicly disclosed security issues that matter. "Its unique tagging system enables you to see a relevant set of tags associated with each security alert for a quick overview of the affected products. What's more, you can now subscribe to an RSS feed containing the specific tags that you are interested in - you will then only receive alerts related to those tags." It has published suggestions, advisories and solution details related to website vulnerabilities.